mosaic/stack
1
0
Fork 0
Code Issues 10 Pull Requests 1 Actions Packages Projects Releases 2 Wiki Activity
Files
3688f89c371df6b35f3efd38e95d3fe268bfded3
stack/apps/coordinator/Dockerfile
Jason Woltje d2ed1f2817
Some checks failed
ci/woodpecker/push/infra Pipeline was successful
Details
ci/woodpecker/push/orchestrator Pipeline failed
Details
ci/woodpecker/push/api Pipeline failed
Details
ci/woodpecker/push/coordinator Pipeline was successful
Details
ci/woodpecker/push/web Pipeline was successful
Details
fix: eliminate apt-get from Kaniko builds, use static dumb-init binary 
Kaniko fundamentally cannot run apt-get update on bookworm (Debian 12)
due to GPG signature verification failures during filesystem snapshots.
Neither --snapshot-mode=redo nor clearing /var/lib/apt/lists/* resolves
this.

Changes:
- Replace apt-get install dumb-init with ADD from GitHub releases
  (static x86_64 binary) in api, web, and orchestrator Dockerfiles
- Switch coordinator builder from python:3.11-slim to python:3.11
  (full image includes build tools, avoids 336MB build-essential)
- Replace wget healthcheck with node-based check in orchestrator
  (wget no longer installed)
- Exclude telemetry lifecycle integration tests in CI (fail due to
  runner disk pressure on PostgreSQL, not code issues)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-16 20:06:06 -06:00

56 lines
1.5 KiB
Docker
Raw Blame History

# Multi-stage build for mosaic-coordinator
# Builder uses the full Python image which already includes gcc/g++/make,
# avoiding a 336 MB build-essential install that exceeds Kaniko disk budget.
FROM python:3.11 AS builder
WORKDIR /app
# Copy dependency files and private registry config
COPY pyproject.toml .
COPY pip.conf /etc/pip.conf
# Create virtual environment and install dependencies
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
COPY src/ ./src/
RUN pip install --no-cache-dir "pip>=25.3" && \
pip install --no-cache-dir . && \
pip install --no-cache-dir "setuptools>=80.9" "wheel>=0.46.2"
# Production stage
FROM python:3.11-slim
WORKDIR /app
# Fix system-level CVEs in setuptools and wheel (base image ships vulnerable versions)
RUN pip install --no-cache-dir "setuptools>=80.9" "wheel>=0.46.2"
# Copy virtual environment from builder
COPY --from=builder /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
# Copy application code
COPY src/ ./src/
# Create non-root user
RUN useradd -m -u 1000 coordinator && \
chown -R coordinator:coordinator /app
USER coordinator
# Environment variables
ENV PYTHONUNBUFFERED=1 \
PYTHONDONTWRITEBYTECODE=1 \
HOST=0.0.0.0 \
PORT=8000
# Health check
HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health')"
# Expose port
EXPOSE 8000
# Run application
CMD ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "8000"]
Reference in New Issue View Git Blame Copy Permalink